From: Chris R. <chr...@ma...> - 2003-01-16 19:14:30

On 16/1/03 6:04 pm, Keith A. Clay <cl...@ac...> wrote:

> Folks,
>
> Here is my program on RedHat 8.0 with perl 5.8.0 and the current
> versions of perl-ldap and IO::Socket::SSL:
>
> use Net::LDAP;
>
> # plain LDAP connection on the default port (389)
> my $lds = Net::LDAP->new('oracleOidServer',
>                          version => '3',
>                          debug   => '12',   # dump sent and received PDUs
>                         );
>
> # ask the server to upgrade this connection to TLS
> my $result = $lds->start_tls( verify => 'required',
>                               cafile => 'oracle.pem',
>                             );
>
> print "TLS_RESULT: $result\n";
> print "TLS_CODE: "   . $result->code  . "\n";
> print "TLS_MESS: "   . $result->error . "\n";
> print "TLS_Cipher: " . $lds->version  . "\n";   # note: prints the LDAP protocol version, not a cipher
>
>
> Here is the result:
> Net::LDAP=HASH(0x804c120) sending:
> 0000    29: SEQUENCE {
> 0002     1:   INTEGER = 1
> 0005    24:   [APPLICATION 23] {
> 0007    22:     [CONTEXT 0]
> 0009      :       31 2E 33 2E 36 2E 31 2E 34 2E 31 2E 31 34 36 36 1.3.6.1.4.1.1466
> 0019      :       2E 32 30 30 33 37 __ __ __ __ __ __ __ __ __ __ .20037
> 001F      :   }
> 001F      : }
> Net::LDAP=HASH(0x804c120) received:
> 0000    35: SEQUENCE {
> 0002     1:   INTEGER = 1
> 0005    30:   [APPLICATION 24] {
> 0007     1:     ENUM = 12
> 000A     0:     STRING = ''
> 000C    23:     STRING = 'Currently Not Supported'
> 0025      :   }
> 0025      : }
> TLS_RESULT: Net::LDAP::Extension=HASH(0x8066c10)
> TLS_CODE: 12
> TLS_MESS: Currently Not Supported
> TLS_Cipher: 3
> Maybe Oracle doesn't support start_tls.

Before you try start_tls() you should read the root_dse() and check if the
supportedExtension attribute contains the start_tls OID, ie
1.3.6.1.4.1.1466.20037. If that value is not there the server officially
doesn't support start_tls.

> When I run the following:
>
> openssl s_client -host oracleOidServer -port 636 -CAfile oracle.pem -debug

This is testing LDAPS, ie LDAP over SSL on port 636. (cf HTTPS is HTTP over
SSL on a different port)

> SSL handshake has read 1328 bytes and written 342 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : SSLv3
>     Cipher    : DES-CBC3-SHA
>     Session-ID: E0E6EDA8AE37D9DA4167D30F68699A3F
>     Session-ID-ctx:
>     Master-Key: 3FB9984032B664D176E1613DB156D45022BD8A64698CD879C6282049E78D4F2A66D72C7467D462738C839234DEE19A12
>     Key-Arg   : None
>     Start Time: 1042737956
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)

Yes, that works.

> If I try to run this port 389 I get the following:
>
> CONNECTED(00000003)
> write to 0814DAC8 [0814DB10] (130 bytes => 130 (0x82))
> 0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 16 00 00   ......W... .....
> 0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 07 00 00 05   .........f......
> 0020 - 00 00 04 05 00 80 03 00-80 01 00 80 08 00 80 00   ................
> 0030 - 00 65 00 00 64 00 00 63-00 00 62 00 00 61 00 00   .e..d..c..b..a..
> 0040 - 60 00 00 15 00 00 12 00-00 09 06 00 40 00 00 14   `...........@...
> 0050 - 00 00 11 00 00 08 00 00-06 00 00 03 04 00 80 02   ................
> 0060 - 00 80 4c 82 1f 51 66 17-63 ad 57 4b 57 ae b7 08   ..L..Qf.c.WKW...
> 0070 - a6 00 41 95 b7 c7 94 d5-aa e0 5e 43 c2 2a 88 84   ..A.......^C.*..
> 0080 - 47 b3                                             G.
> read from 0814DAC8 [08153070] (7 bytes => 0 (0x0))
> 24369:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:226:

That doesn't work, which is correct.

> I would assume the start_tls would point to port 636 rather than 389.
> When I set the port to 636 in the constructor it just hangs the program.
>
> keith

You're confused :-)

LDAP servers will often listen on two ports, 389 and 636 (the defaults.) On
port 389 the server listens to plain LDAP which is unencrypted (unless you
negotiate confidentiality using SASL). On port 636 the server expects an SSL
connection and then LDAP on top of that.

The wrinkle is start_tls. Start_tls is used on port 389, and when you use it
it converts the sockets being used to SSL (er, TLS) sockets thus encrypting
the connection. It means you can get an encrypted connection using the
standard port and without using SASL.

Your program using start_tls() is correct in talking to port 389, and the
server is simply saying that it doesn't support start_tls even though it
supports LDAPS.

Cheers,
Chris
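As an added example (not code from the thread, and not part of perl-ldap itself), this is the check Chris describes put into a script: read the root DSE first, call start_tls() only when the StartTLS OID is advertised, and otherwise reconnect over LDAPS on 636 instead of carrying on in clear over 389. The host name and CA file are the ones from Keith's post; `verify => 'require'` is the spelling Net::LDAP documents for its verify option (none, optional, require). Result code 12 in Keith's trace is LDAP's unavailableCriticalExtension, which is what a server returns for an extended operation it does not implement.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: probe supportedExtension in
# the root DSE before calling start_tls(), and fall back to LDAPS (port 636)
# when the server does not advertise StartTLS. Host and CA file are assumed.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

my $host          = 'oracleOidServer';          # assumption: host from the thread
my $cafile        = 'oracle.pem';               # assumption: CA that signed the server cert
my $START_TLS_OID = '1.3.6.1.4.1.1466.20037';   # StartTLS extended operation OID

# 1. Plain LDAP on the default port 389 (nothing sensitive sent yet).
my $ldap = Net::LDAP->new($host, version => 3)
    or die "cannot connect to $host:389: $@";

# 2. Read the root DSE and look for the StartTLS OID in supportedExtension.
my $dse = $ldap->root_dse(attrs => ['supportedExtension'])
    or die "server did not return a root DSE";
my %ext = map { $_ => 1 } $dse->get_value('supportedExtension');

if ($ext{$START_TLS_OID}) {
    # 3a. Upgrade the existing port-389 socket to TLS, with mandatory
    #     certificate verification against the CA file.
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
    die 'start_tls failed: ' . $mesg->error if $mesg->code != LDAP_SUCCESS;
    print "StartTLS negotiated on port 389\n";
}
else {
    # 3b. Not advertised: drop the clear connection and reconnect over
    #     LDAPS, which is SSL first and LDAP on top of it.
    $ldap->unbind;
    $ldap = Net::LDAP->new($host, version => 3, scheme => 'ldaps', port => 636,
                           verify => 'require', cafile => $cafile)
        or die "cannot connect to ldaps://$host:636: $@";
    print "StartTLS not supported; using LDAPS on port 636\n";
}

# 4. Only bind (send credentials) once the socket is actually an SSL socket.
die 'connection is not encrypted, refusing to bind'
    unless $ldap->socket->isa('IO::Socket::SSL');

# ... $ldap->bind(...) and the rest of the program go here ...
$ldap->unbind;
```

The fallback branch matters as much as the happy path: a script that calls start_tls(), ignores a non-zero result code and then binds has just sent a password in clear over 389, which is exactly what Keith's trace (code 12, "Currently Not Supported") would have led to if the result had not been checked.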